Firewall Wizards mailing list archives
Re: w00w00 on AIM Filter (Backdoors & SpyWare)
From: Chad Schieken <cschieken () lucent com>
Date: Wed, 09 Jan 2002 08:01:45 -0500
Looks like we have a new form of attack. It seems akin to the types of "semantic" attacks that Bruce Schneier talked about. Here the attacker publishes a vulnerability in a piece of widely used software, and points to another piece of software as the "solution". The solution contains the exploit code.
Ouch! I got bit by this one (well, I downloaded, installed and attempted to use AIM Filter). I was proud of myself for quickly implementing the "fix". Ugh.
Exactly how does a firewall protect against this type of attack?

At 03:43 PM 1/8/2002, you wrote:
BugTraq readership:

It has recently come to our attention that AIM Filter, which we recommended as an appropriate temporary solution for the AIM buffer overflows we published, actually contains backdoors and spyware. This became obvious when the source was released on January 5th, 2002. At the time, Robbie Saunders' AIM Filter seemed like a nice temporary solution. Unfortunately, it instead produces cash-paid click-throughs over time intervals and contains backdoor code combined with basic obfuscation to divulge system information and launch several web browsers to porn sites. We only took the time to verify that it blocked the attack, since an analysis of AIM Filter wasn't our priority. Mea culpa.

In the meantime, we've cleaned up the AIM Filter code and produced a modified version available on our website, and we've removed all the backdoors and spyware. For those of you who are still interested in using the software, we strongly recommend you use this modified version instead. You will find it at:

http://www.w00w00.org/files/w00aimfilter.zip

We apologize to the security community at large for this mistake. However, we think this is a very apt example of why closed-source programs can be deadly. You never know for sure what lurks under the hood of a binary executable, and of course U.S. Law (DMCA) forbids you from trying to find out. Once again, disclosure is your best friend. We urge readers to find out more about the DMCA at http://www.anti-dmca.org/.

We would also like to take this opportunity to provide updated reference information on the original AIM vulnerability, which has now been assigned a CVE Candidate ID: CVE-2002-0005.

--jordan and the w00w00 Security Team
_______________________________________________ firewall-wizards mailing list firewall-wizards () nfr com http://list.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Re: w00w00 on AIM Filter (Backdoors & SpyWare) Chad Schieken (Jan 09)
- Re: Re: w00w00 on AIM Filter (Backdoors & SpyWare) Crispin Cowan (Jan 10)
- Re: Re: w00w00 on AIM Filter (Backdoors & SpyWare) R. DuFresne (Jan 11)
- Re: Re: w00w00 on AIM Filter (Backdoors & SpyWare) Joseph S D Yao (Jan 11)
- Re: Re: w00w00 on AIM Filter (Backdoors & SpyWare) M. Dodge Mumford (Jan 11)
- <Possible follow-ups>
- RE: Re: w00w00 on AIM Filter (Backdoors & SpyWare) Carl Friedberg (Jan 10)
- RE: Re: w00w00 on AIM Filter (Backdoors & SpyWare) R. DuFresne (Jan 11)
- RE: Re: w00w00 on AIM Filter (Backdoors & SpyWare) Frank Knobbe (Jan 12)
- Re: Re: w00w00 on AIM Filter (Backdoors & SpyWare) Crispin Cowan (Jan 10)